Canarys | IT Services

Authorize access to VSTS REST APIs with OAuth 2.0

In this blog we discuss how to implement OAuth authentication for the VSTS REST APIs using an access token.

Authenticate your web app's users to access the REST APIs so that your app doesn't have to keep asking for their usernames and passwords. Visual Studio Team Services uses the OAuth 2.0 protocol to authorize your app for a user and generate an access token. Use this token when you call the REST APIs from your app.

Below are the steps we need to carry out to get the access token:

  • Register your app
  • Authorize your app
  • Get an access token and refresh token for the user
  • Use the access token
  • Refresh an expired access token

Figure: Token-based authentication for VSTS REST APIs

Let us discuss each step in detail:

1. Register your app:

Here is the URL to register your app: https://app.vssps.visualstudio.com/app/register.

The registration form requires three categories of information:

Company information:

Figure: company information section of the registration form

Application information:

Figure: application information section of the registration form

Authorized scope:

Make sure you select the scopes that your application needs, and then use exactly the same scopes when you authorize your app.

Examples of scopes:

Figure: scope list on the registration form

After selecting the required scopes for the application, click the Create application button. Once the application has been created, you will see its details as shown below:

Figure: details of the registered application (app ID, authorization URL and access token URL)

Once the app is registered, you call the authorization URL, passing the app ID and the authorized scopes, whenever you want a user to authorize your app to access his/her Visual Studio Team Services account. You call the access token URL when you want to get an access token to call a Visual Studio Team Services REST API.

2. Authorize your app:

To authorize the registered app, call the authorization URL as below:

https://app.vssps.visualstudio.com/oauth2/authorize?client_id={appID}&response_type=Assertion&state={state}&scope={scope}&redirect_uri={callback URL}

Here is the C# code to authorize the application:

    public ActionResult Verify()
    {
        // Step 2: send the user's browser to the VSTS authorization page. Scopes are
        // space-separated (%20 in the URL) and must match those chosen at registration.
        // state is echoed back on the callback; a per-session random value lets the
        // callback check that the response belongs to a request this app started.
        string url = "https://app.vssps.visualstudio.com/oauth2/authorize?client_id={0}&response_type=Assertion&state=User1&scope=vso.dashboards_manage%20vso.project_manage%20vso.work_write&redirect_uri={1}";

        // ClientId and RedirectUri are stored in the appSettings section of web.config.
        string redirectUrl = System.Configuration.ConfigurationManager.AppSettings["RedirectUri"];
        string clientId = System.Configuration.ConfigurationManager.AppSettings["ClientId"];

        // The callback URL travels as a query-string value, so it must be percent-encoded.
        url = string.Format(url, clientId, Uri.EscapeDataString(redirectUrl));
        return Redirect(url);
    }

We read the client ID and RedirectUri from the appSettings section of the web.config file, where the values are stored.

When you call Visual Studio Team Services to ask for a user's authorization, and the user grants it, Visual Studio Team Services will redirect the user's browser to your authorization callback URL with the authorization code for that authorization. The callback URL must be a secure connection (https) to transfer the code back to the app. It must exactly match the URL registered in your app. If it doesn't, a 400 error page is displayed instead of a page asking the user to grant authorization to your app.     

Visual Studio Team Services will ask the user to authorize your app.

Once the user accepts, Team Services will redirect the user's browser to your callback URL, including a short-lived authorization code and the state value provided in the authorization URL:

https://fabrikam.azurewebsites.net/myapp/oauth-callback?code={authorization code}&state=User1

3. Get the access token and refresh token using the authorization code:

Now use the authorization code to request an access token (and refresh token) for the user.

POST https://app.vssps.visualstudio.com/oauth2/token

Request header

Content-Type: application/x-www-form-urlencoded

Content-Length: 1322

HTTP request body

client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion={0}&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion={1}&redirect_uri={2}

Below is the C# code to get the access token and refresh token:

Figure: C# code for the token request (shown as a screenshot in the original post)
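Because the token-exchange code above survives only as a screenshot, here is an added example (my code, not the author's) that issues the POST described in step 3 with HttpClient and reads the token response. It also covers step 5 with a grant_type=refresh_token request to the same endpoint, which the post does not reach; the use of the app secret as client_assertion, the type names, and the .NET 8 / C# 12 target are assumptions.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Tokens returned by the token endpoint (standard OAuth 2.0 field names).
public sealed record VstsTokens(string AccessToken, string RefreshToken, int ExpiresInSeconds);

// clientSecret is the app secret shown after registration (assumed to be the client_assertion);
// redirectUri must match the registered callback URL exactly (both come from web.config in the post).
public sealed class VstsTokenClient(string clientSecret, string redirectUri)
{
    private const string TokenUrl = "https://app.vssps.visualstudio.com/oauth2/token";
    private static readonly HttpClient Http = new HttpClient();

    // Step 3: trade the short-lived code from the callback for access and refresh tokens.
    public Task<VstsTokens> ExchangeCodeAsync(string authorizationCode) =>
        RequestTokensAsync("urn:ietf:params:oauth:grant-type:jwt-bearer", authorizationCode);

    // Step 5: same endpoint, grant_type=refresh_token, refresh token in the assertion field.
    public Task<VstsTokens> RefreshAsync(string refreshToken) =>
        RequestTokensAsync("refresh_token", refreshToken);

    private async Task<VstsTokens> RequestTokensAsync(string grantType, string assertion)
    {
        // Same fields as the request body above. FormUrlEncodedContent sets the
        // x-www-form-urlencoded Content-Type and percent-encodes every value.
        var form = new Dictionary<string, string>
        {
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"] = clientSecret,
            ["grant_type"] = grantType,
            ["assertion"] = assertion,
            ["redirect_uri"] = redirectUri,
        };
        using var response = await Http.PostAsync(TokenUrl, new FormUrlEncodedContent(form));
        response.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var root = doc.RootElement;
        var expires = root.GetProperty("expires_in");   // documented as a string; accept a number too
        return new VstsTokens(
            root.GetProperty("access_token").GetString(),
            root.GetProperty("refresh_token").GetString(),
            expires.ValueKind == JsonValueKind.Number ? expires.GetInt32() : int.Parse(expires.GetString()));
    }
}
```

Call ExchangeCodeAsync from the callback action after checking that the returned state matches the one sent in Verify(), and store the refresh token server-side for RefreshAsync.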
